Troubleshooting Port Forwarding

This lesson helps you investigate and identify the possible reasons for a DNAT rule that does not work as expected.

What is DNAT

A DNAT (Destination NAT) rule allows an incoming connection from the untrusted segment (i.e., the RED Zone) on a given port to be automatically redirected (forwarded) to an internal server on a given port, usually in the ORANGE zone. The set up of a DNAT rule is explained in this lesson, from which we borrow the scenario: An internal HTTPS web server located at 10.1.10.100, running on port 443, that should be reachable from the RED.

Troubleshooting DNAT rules

Before skimming through the list of troubleshooting options, you should consider the possibility of some values in the rules being wrong. More precisely, you should check that:

The internal server is reachable from the firewall (e.g., using curl <IP> or ping <IP>) from the Endian UTM Appliance's CLI)

The ports and protocols are correct, e.g., using netstat from the local HTTPS web server's CLI and checking that the output contains the lines (the PID 3657 may vary)

You may also want to try whether a connectionusing telnet <IP> <PORT>, to verify that the service runs and accepts commands. This proves useful to test services like FTP, SMTP, POP3, and also services that do not run on their defualt ports. In this case, a successful connection implies that the service is running, while an unsuccessful connection means that the service is not running.

Deactivate snort, the Intrusion Prevention System on the Endian UTM Appliance (under Menubar > Services > Intrusion Prevention > Intrusion Prevention System) and verify that the web server is reachable: In this case, there can be a snort rule that forbids access to the server.

Disable the content filter service on the Endian UTM Appliance (under Menubar > Proxy > HTTP > Contentfilter or Menubar > Proxy > HTTP > Web Filter) and verify that the web server is reachable: In this case, there can be a content filter rule that prevents accessing the system.

There are basically four points worth investigation in case a DNAT/port-forwarding may not work correctly, in a general setup:

Make sure all the ports, IP addresses, and protocols are correct. In other words, make sure that all the elements in the rule correctly refer to the services available on the Appliance, for example, if you have the HTTPS server running on port 8001, that the rule actually contains 8001 and not 443.

The Endian UTM Appliance is behind a NAT device. In this case there is a device like a router or another firewall between the Endian UTM Appliance and the Internet, which disallows direct incoming connections. The solution is to configure a port forwarding also on that device to the Endian UTM appliance’s RED IP, if this is possible.

The destination server has wrong default gateway. The server defined as the destination of a port forwarding rule is configured with a wrong gateway or no default gateway. Any incoming connection is therefore correctly directed to the target IP address, but due to a wrong gateway, packets sent as response will not be directed through the Endian UTM Appliance and will not reach the original source. The solution is to correct the wrong gateway on the server.

Another service or proxy is already listening on thedestination server's port. The port specified in the destination of the rule is already assigned to a service, so when you connect using the port forwarding rule, you do not see the expected service, but the one that was previously running. The solution is to temporarily disable port-forwarding, and check the correct ports of the running services on that port, issuing the following command on the CLI of the destination server:

root@endian:~# netstat -ntupl

Then you can modify the port of the port forwarding rule so that it points to the correct service. Suppose that on 10.1.10.100, port 8001 there is already another service listening, like e.g., the SSH server: when you create a port forwarding rule for HTTPS to port 8001, you will never reach the HTTPS server.